How to remove Enhanced Key Usage using New-SelfSignedCertificate

情到浓时终转凉″ submitted on 2021-01-07 03:52:29

Question


After running the following command, the Extended Key Usage / Enhanced Key Usage shows both client and server authorization. How do I remove this option for Root CAs and Intermediate CAs, as CAs should not have these options? What other parameters should be added to New-SelfSignedCertificate to remove the options below?

Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)

Windows 10, PowerShell v5, openssl 1.1.1

$RootCA = New-SelfSignedCertificate -Subject 'CN=KeyCARootCN,O=Test Organisation, OU=Test RootCA,C=AU' -KeyLength 2048 -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(40) -KeyUsageProperty All -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=5") -CertStoreLocation Cert:\LocalMachine\My
$RootCA
$RootCAthumbprint = $RootCA.Thumbprint


$CertRootCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertRootCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword

$CertRootCAFileCER = Export-Certificate -Cert $RootCA -FilePath C:\Users\KeyCARoot.cer

$CertRootCAFileCER
$CertRootCAPath = 'C:\Users\KeyCARoot.cer'

Answer 1:


Give this a try:

Import-Module PKI

$params = @{
    Type = [Microsoft.CertificateServices.Commands.CertificateType]::Custom
    Subject = 'CN=KeyCARootCN,O=Test Organisation, OU=Test RootCA,C=AU'
    KeyLength = 2048
    KeyAlgorithm = 'RSA'
    HashAlgorithm = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    KeyExportPolicy = [Microsoft.CertificateServices.Commands.KeyExportPolicy]::Exportable
    KeySpec = [Microsoft.CertificateServices.Commands.KeySpec]::Signature
    KeyUsage = @([Microsoft.CertificateServices.Commands.KeyUsage]::CertSign,
        [Microsoft.CertificateServices.Commands.KeyUsage]::DigitalSignature,
        [Microsoft.CertificateServices.Commands.KeyUsage]::CRLSign)
    KeyUsageProperty = [Microsoft.CertificateServices.Commands.KeyUsageProperty]::All
    TextExtension = @('2.5.29.19={critical}{text}ca=1&pathlength=5')
    NotAfter = (Get-Date).AddYears(40)
    Provider = 'Microsoft Enhanced Cryptographic Provider v1.0'
    CertStoreLocation = 'Cert:\LocalMachine\My'
}

$RootCA = New-SelfSignedCertificate @params

In general, you may have over-specified some options that aren't necessary. As you can see from above, I simply added a Custom certificate type, removed the KeyEncipherment and DataEncipherment Key Usage options, and swapped out the CSP provider. Retaining all the signing options for Key Usage should suffice for Root and Intermediate CA certs.

Optionally, you could add ,'2.5.29.37={text}2.5.29.37.0' to your TextExtension list if you wanted your Enhanced Key Usage to be "Any Purpose".
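An added check, not part of the question or the answer, that inspects the certificate produced by the answer's New-SelfSignedCertificate call and confirms it has no Enhanced Key Usage extension (2.5.29.37) while still carrying the CA Basic Constraints and the KeyCertSign key usage. It assumes $RootCA is the X509Certificate2 object returned above; the function name Test-CaCertificateExtensions is my own.

```powershell
# Added example: verify that a freshly created CA certificate carries no EKU
# extension and is marked as a CA with KeyCertSign. $RootCA is assumed to be
# the object returned by the answer's New-SelfSignedCertificate @params call.

function Test-CaCertificateExtensions {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Enhanced Key Usage, if present, is exposed as a typed extension on OID 2.5.29.37
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $basic = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        HasEku      = [bool]$eku
        EkuOids     = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ', ' } else { '' }
        IsCA        = [bool]$basic.CertificateAuthority
        PathLength  = if ($basic -and $basic.HasPathLengthConstraint) { $basic.PathLengthConstraint } else { 'none' }
        KeyUsages   = [string]$ku.KeyUsages
        HasCertSign = (($ku.KeyUsages -band $certSign) -ne 0)
    }
}

$result = Test-CaCertificateExtensions -Certificate $RootCA
$result | Format-List

# A CA built from the answer's parameters should report HasEku = False here;
# the question's original command would report True with the client/server OIDs.
if ($result.HasEku) {
    Write-Warning "EKU present ($($result.EkuOids)); a CA certificate normally omits this extension."
}
if (-not $result.IsCA -or -not $result.HasCertSign) {
    Write-Warning 'Certificate is not usable as a CA: check Basic Constraints (ca=1) and KeyCertSign.'
}
```

Run it against a certificate created with the question's original command as well to see the two client/server authentication OIDs reported in EkuOids, which is exactly what the -Type Custom variant removes.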



Source: https://stackoverflow.com/questions/64929379/how-to-remove-enhanced-key-usage-using-new-selfsignedcertificate
